Google security whitepaper

This whitepaper applies to Google Cloud Platform
products described at cloud.google.com. The content contained herein is correct
as of January 2019 and represents the status quo as of the time it was written.
Google's security policies and systems may change going forward, as we
continually improve protection for our customers.

Introduction

Traditionally organizations have looked to the public cloud for cost savings,
or to augment private data center capacity. However, organizations are now
primarily looking to the public cloud for security, realizing that providers can
invest more in people and processes to deliver secure infrastructure.

As a cloud pioneer, Google fully understands the security implications of the
cloud model. Our cloud services are designed to deliver better security than
many traditional on-premises solutions. We make security a priority to protect
our own operations, but because Google runs on the same infrastructure that we
make available to our customers, your organization can directly benefit from
these protections. That's why we focus on security, and protection of data is
among our primary design criteria. Security drives our organizational structure,
training priorities and hiring processes. It shapes our data centers and the
technology they house. It's central to our everyday operations and disaster
planning, including how we address threats. It's prioritized in the way we
handle customer data. And it's the cornerstone of our account controls, our
compliance audits and the certifications we offer our customers.

This paper outlines Google's approach to security and compliance for Google
Cloud, our suite of public cloud products and services. This whitepaper focuses
on security including details on organizational and technical controls regarding
how Google protects your data. Details on compliance and how you can meet
regulatory requirements are covered
here.

Google's security culture

Google has created a vibrant and inclusive security culture for all employees.
The influence of this culture is apparent during the hiring process, employee
onboarding, as part of ongoing training and in company-wide events to raise
awareness.

Employee background checks

Before they join our staff, Google will verify an individual's education and
previous employment, and perform internal and external reference checks. Where
local labor law or statutory regulations permit, Google may also conduct
criminal, credit, immigration, and security checks. The extent of these
background checks is dependent on the desired position.

Security training for all employees

All Google employees undergo security training as part of the orientation
process and receive ongoing security training throughout their Google careers.
During orientation, new employees agree to our Code of Conduct, which highlights
our commitment to keep customer information safe and secure. Depending on their
job role, additional training on specific aspects of security may be required.
For instance, the information security team instructs new engineers on topics
like secure coding practices, product design and automated vulnerability testing
tools. Engineers also attend technical presentations on security-related topics
and receive a security newsletter that covers new threats, attack patterns,
mitigation techniques and more.

Internal security and privacy events

Google hosts regular internal conferences to raise awareness and drive
innovation in security and data privacy, which are open to all employees.
Security and privacy is an ever-evolving area, and Google recognizes that
dedicated employee engagement is a key means of raising awareness. One example
is "Privacy Week," during which Google hosts events across global offices to
raise awareness of privacy in all facets, from software development, data
handling and policy enforcement to living our privacy principles. Google also
hosts regular "Tech Talks" focusing on subjects that often include security and
privacy.

Our dedicated security team

Google employs security and privacy professionals, who are part of our software
engineering and operations division. Our team includes some of the world's
foremost experts in information, application and network security. This team is
tasked with maintaining the company's defense systems, developing security
review processes, building security infrastructure and implementing Google's
security policies. Google's dedicated security team actively scans for security
threats using commercial and custom tools, penetration tests, quality assurance
(QA) measures and software security reviews.

Within Google, members of the information security team review security plans
for all networks, systems and services. They provide project-specific consulting
services to Google's product and engineering teams. They monitor for suspicious
activity on Google's networks, address information security threats, perform
routine security evaluations and audits, and engage outside experts to conduct
regular security assessments. We specifically built a full-time team, known as
Project Zero,
that aims to prevent targeted attacks by reporting bugs to software vendors and
filing them in an external database.

The security team also takes part in research and outreach activities to
protect the wider community of Internet users, beyond just those who choose
Google solutions. Some examples of this research would be the discovery of the
POODLE SSL 3.0 exploit and cipher suite weaknesses. The security team also
publishes security research papers, available to the public. The security team
also organizes and participates in open-source projects and academic
conferences.

Our dedicated privacy team

The Google privacy team operates separately from product development and
security organizations, but participates in every Google product launch by
reviewing design documentation and performing code reviews to ensure that
privacy requirements are followed. They help release products that reflect
strong privacy standards: transparent collection of user data and providing
users and administrators with meaningful privacy configuration options, while
continuing to be good stewards of any information stored on our platform. After
products launch, the privacy team oversees automated processes that audit data
traffic to verify appropriate data usage. In addition, the privacy team conducts
research providing thought leadership on privacy best practices for our emerging
technologies.

Internal audit and compliance specialists

Google has a dedicated internal audit team that reviews compliance with
security laws and regulations around the world. As new auditing standards are
created, the internal audit team determines what controls, processes, and
systems are needed to meet them. This team facilitates and supports independent
audits and assessments by third parties.

Collaboration with the security research community

Google has long enjoyed a close relationship with the security research
community, and we greatly value their help identifying vulnerabilities in Google
Cloud and other Google products. Our
Vulnerability Reward Program
encourages researchers to report design and implementation issues that may put
customer data at risk, offering rewards in the tens of thousands of dollars. In
Chrome, for instance, we warn users against malware and phishing, and offer
rewards for finding security bugs.

Due to our collaboration with the research community, we've squashed more than
700 Chrome security bugs and have rewarded more than $1.25 million — more than
$2 million has been awarded across Google's various vulnerability rewards
programs. We publicly
thank these individuals
and list them as contributors to our products and services.

Operational security

Far from being an afterthought or the focus of occasional initiatives, security
is an integral part of our operations.

Vulnerability management

Google administrates a vulnerability management process that actively scans for
security threats using a combination of commercially available and purpose-built
in-house tools, intensive automated and manual penetration efforts, quality
assurance processes, software security reviews and external audits. The
vulnerability management team is responsible for tracking and following up on
vulnerabilities. Once a vulnerability requiring remediation has been identified,
it is logged, prioritized according to severity, and assigned an owner. The
vulnerability management team tracks such issues and follows up frequently until
they can verify that the issues have been remediated. Google also maintains
relationships and interfaces with members of the security research community to
track reported issues in Google services and open-source tools. More information
about reporting security issues can be found at Google
Application Security.

Malware prevention

An effective malware attack can lead to account compromise, data theft, and
possibly additional access to a network. Google takes these threats to its
networks and its customers very seriously and uses a variety of methods to
prevent, detect and eradicate malware. Google helps tens of millions of people
every day to protect themselves from harm by showing warnings to users of Google
Chrome, Mozilla Firefox and Apple Safari when they attempt to navigate to
websites that would steal their personal information or install software
designed to take over their computers. Malware sites or email attachments
install malicious software on users' machines to steal private information,
perform identity theft, or attack other computers. When people visit these
sites, software that takes over their computer is downloaded without their
knowledge. Google's malware strategy begins with infection prevention by using
manual and automated scanners to scour Google's search index for websites that
may be vehicles for malware or phishing. Approximately one billion people use
Google's Safe Browsing on a regular basis.
Google's Safe Browsing
technology examines billions of URLs per day looking for unsafe websites. Every
day, we discover thousands of new unsafe sites, many of which are legitimate
websites that have been compromised. When we detect unsafe sites, we show
warnings on Google Search and in web browsers. In addition to our Safe Browsing
solution, Google operates
VirusTotal,
a free online service that analyzes files and URLs enabling the identification
of viruses, worms, trojans and other kinds of malicious content detected by
antivirus engines and website scanners. VirusTotal's mission is to help in
improving the antivirus and security industry and make the Internet a safer
place through the development of free tools and services.

Google makes use of multiple antivirus engines in Gmail, Drive, servers and
workstations to help identify malware that may be missed by antivirus
signatures.

Monitoring

Google's security monitoring program is focused on information gathered from
internal network traffic, employee actions on systems and outside knowledge of
vulnerabilities. At many points across our global network, internal traffic is
inspected for suspicious behavior, such as the presence of traffic that might
indicate botnet connections. This analysis is performed using a combination of
open-source and commercial tools for traffic capture and parsing. A proprietary
correlation system built on top of Google technology also supports this
analysis. Network analysis is supplemented by examining system logs to identify
unusual behavior, such as attempted access of customer data. Google security
engineers place standing search alerts on public data repositories to look for
security incidents that might affect the company's infrastructure. They actively
review inbound security reports and monitor public mailing lists, blog posts,
and wikis. Automated network analysis helps determine when an unknown threat may
exist and escalates to Google security staff, and network analysis is
supplemented by automated analysis of system logs.

Incident management

We have a rigorous incident management process for security events that may
affect the confidentiality, integrity, or availability of systems or data. If an
incident occurs, the security team logs and prioritizes it according to its
severity. Events that directly impact customers are assigned the highest
priority. This process specifies courses of action, procedures for notification,
escalation, mitigation, and documentation. Google's security incident management
program is structured around the NIST guidance on handling incidents (NIST SP
800–61). Key staff are trained in forensics and handling evidence in preparation
for an event, including the use of third-party and proprietary tools. Testing of
incident response plans is performed for key areas, such as systems that store
sensitive customer information. These tests take into consideration a variety of
scenarios, including insider threats and software vulnerabilities. To help
ensure the swift resolution of security incidents, the Google security team is
available 24/7 to all employees. If an incident involves customer data, Google
or its partners will inform the customer and support investigative efforts via
our support team. We outline Google's end-to-end data incident response process
in our
whitepaper.

Technology with security at its core

Google Cloud runs on a technology platform that is conceived, designed and
built to operate securely. Google is an innovator in hardware, software, network
and system management technologies. We custom-designed our servers, proprietary
operating system, and geographically distributed data centers. Using the
principles of "defense in depth," we've created an IT infrastructure that is
more secure and easier to manage than more traditional technologies.

State-of-the-art data centers

Google's focus on security and protection of data is among
our primary design criteria.
Google data center physical security features a layered security model,
including safeguards like custom-designed electronic access cards, alarms,
vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and
the data center floor features laser beam intrusion detection. Our data centers
are monitored 24/7 by high-resolution interior and exterior cameras that can
detect and track intruders. Access logs, activity records, and camera footage
are available in case an incident occurs. Data centers are also routinely
patrolled by experienced security guards who have undergone rigorous background
checks and training. As you get closer to the data center floor, security
measures also increase. Access to the data center floor is only possible via a
security corridor which implements multi-factor access control using security
badges and biometrics. Only approved employees with specific roles may enter.
Less than one percent of Googlers will ever set foot in one of our data centers.

Powering our data centers

To keep things running 24/7 and ensure uninterrupted services, Google's data
centers feature redundant power systems and environmental controls. Every
critical component has a primary and alternate power source, each with equal
power. Diesel engine backup generators can provide enough emergency electrical
power to run each data center at full capacity. Cooling systems maintain a
constant operating temperature for servers and other hardware, reducing the risk
of service outages. Fire detection and suppression equipment helps prevent
damage to hardware. Heat, fire, and smoke detectors trigger audible and visible
alarms in the affected zone, at security operations consoles, and at remote
monitoring desks.

Environmental impact

Google reduces the environmental impact of running our data centers by
designing and building our own facilities. We install smart temperature
controls, use "free-cooling" techniques like using outside air or reused water
for cooling, and redesign how power is distributed to reduce unnecessary energy
loss. To gauge improvements, we calculate the performance of each facility using
comprehensive efficiency measurements. We're the first major Internet services
company to gain external certification of our high environmental, workplace
safety and energy management standards throughout our data centers.
Specifically, we received voluntary ISO 50001 certification and incorporated our
own protocols to go beyond standards.

Custom server hardware and software

Google's data centers house energy-efficient, custom, purpose-built servers and
network equipment that we design and manufacture ourselves. Unlike much
commercially available hardware, Google servers don't include unnecessary
components such as video cards, chipsets, or peripheral connectors, which can
introduce vulnerabilities. Our production servers run a custom-designed
operating system (OS) based on a stripped-down and hardened version of Linux.
Google's servers and their OS are designed for the sole purpose of providing
Google services. Server resources are dynamically allocated, allowing for
flexibility in growth and the ability to adapt quickly and efficiently, adding
or reallocating resources based on customer demand. This homogeneous environment
is maintained by proprietary software that continually monitors systems for
binary modifications. If a modification is found that differs from the standard
Google image, the system is automatically returned to its official state. These
automated, self-healing mechanisms are designed to enable Google to monitor and
remediate destabilizing events, receive notifications about incidents, and slow
down potential compromise on the network.

Hardware tracking and disposal

Google meticulously tracks the location and status of all equipment within our
data centers from acquisition to installation to retirement to destruction, via
barcodes and asset tags. Metal detectors and video surveillance are implemented
to help make sure no equipment leaves the data center floor without
authorization. If a component fails to pass a performance test at any point
during its lifecycle, it is removed from inventory and retired. Google hard
drives leverage technologies like FDE (full disk encryption) and drive locking,
to protect data at rest. When a hard drive is retired, authorized individuals
verify that the disk is erased by writing zeros to the drive and performing a
multiple-step verification process to ensure the drive contains no data. If the
drive cannot be erased for any reason, it is stored securely until it can be
physically destroyed. Physical destruction of disks is a multistage process
beginning with a crusher that deforms the drive, followed by a shredder that
breaks the drive into small pieces, which are then recycled at a secure
facility. Each data center adheres to a strict disposal policy and any variances
are immediately addressed. We outline Google's end-to-end data deletion process
in our
whitepaper.

A global network with unique security benefits

Google's IP data network consists of our own fiber, public fiber, and undersea
cables. This allows us to deliver highly available and low latency services
across the globe.

In other cloud services and on-premises solutions, customer data must make
several journeys between devices, known as "hops," across the public Internet.
The number of hops depends on the distance between the customer's ISP and the
solution's data center. Each additional hop introduces a new opportunity for
data to be attacked or intercepted. Because it's linked to most ISPs in the
world, Google's global network improves the security of data in transit by
limiting hops across the public Internet.

Defense in depth describes the multiple layers of defense that protect Google's
network from external attacks. Only authorized services and protocols that meet
our security requirements are allowed to traverse it; anything else is
automatically dropped. Industry-standard firewalls and access control lists
(ACLs) are used to enforce network segregation. All traffic is routed through
custom GFE (Google Front End) servers to detect and stop malicious requests and
Distributed Denial-of-service (DDoS) attacks. Additionally, GFE servers are only
allowed to communicate with a controlled list of servers internally; this
"default deny" configuration prevents GFE servers from accessing unintended
resources. Logs are routinely examined to reveal any exploitation of programming
errors. Access to networked devices is restricted to authorized personnel.

Securing data in transit

Data is vulnerable to unauthorized access as it travels across the Internet or
within networks. For this reason, securing data in transit is a high priority
for Google. The Google Front End (GFE) servers mentioned previously support
strong encryption protocols such as TLS to secure the connections between
customer devices and Google's web services and APIs. Cloud customers can take
advantage of this encryption for their services running on Google Cloud Platform
by using the
Cloud Load Balancer.
Google Cloud Platform also offers customers additional transport encryption
options, including Cloud VPN for establishing IPSec virtual private
networks. Our
encryption in transit whitepaper
and
application layer transport security whitepaper
provide more in-depth information on this topic.

Low latency and highly available solution

Google designs the components of our platform to be highly redundant. This
redundancy applies to our server design, how we store data, network and Internet
connectivity, and the software services themselves. This "redundancy of
everything" includes the handling of errors by design and creates a solution
that is not dependent on a single server, data center, or network connection.
Google's data centers are geographically distributed to minimize the effects of
regional disruptions on global products such as natural disasters and local
outages. In the event of hardware, software, or network failure, platform
services and control planes are automatically and instantly shifted from one
facility to another so that platform services can continue without interruption.
Google's highly redundant infrastructure also helps customers protect themselves
from data loss. Google Cloud Platform resources can be created and deployed
across multiple regions and zones. Allowing customers to build resilient and
highly available systems.

Our highly redundant design has allowed Google to achieve an uptime of 99.984%
for Gmail for the last years with no scheduled downtime. Simply put, when Google
needs to service or upgrade our platform, users do not experience downtime or
maintenance windows.

Service availability

Some of Google's services may not be available in some jurisdictions. Often
these interruptions are temporary due to network outages, but others are
permanent due to government-mandated blocks. Google's
Transparency Report
also shows
recent and ongoing disruptions of traffic
to Google products. We provide this data to help the public analyze and
understand the availability of online information.

Independent third-party certifications

Google Cloud provides a number of third-party certifications,
detailed here.

Data usage

Our philosophy

Google Cloud customers own their data, not Google. The data that customers put
into our systems is theirs, and we do not scan it for advertisements nor sell it
to third parties. We offer our customers a detailed data processing amendment
for GCP and G Suite, both of which describe our commitment to protecting customer
data. It states that Google will not process data for any purpose other than to
fulfill our contractual obligations. Furthermore, if customers delete their
data, we commit to deleting it from our systems within 180 days. Finally, we
provide tools that make it easy for customers to take their data with them if
they choose to stop using our services, without penalty or additional cost
imposed by Google. Read our
Trust Principles
to learn more about Google Cloud's philosophy and commitments to customers.

Data access and restrictions

Administrative access

To keep data private and secure, Google logically isolates each customer's data
from that of other customers and users, even when it's stored on the same
physical server. Only a small group of Google employees have access to customer
data. For Google employees, access rights and levels are based on their job
function and role, using the concepts of least-privilege and need-to-know to
match access privileges to defined responsibilities. Google employees are only
granted a limited set of default permissions to access company resources, such
as employee email and Google's internal employee portal. Requests for additional
access follow a formal process that involves a request and an approval from a
data or system owner, manager, or other executives, as dictated by Google's
security policies. Approvals are managed by workflow tools that maintain audit
records of all changes. These tools control both the modification of
authorization settings and the approval process to ensure consistent application
of the approval policies. An employee's authorization settings are used to
control access to all resources, including data and systems for Google Cloud
products. Support services are only provided to authorized customer
administrators whose identities have been verified in several ways. Googler
access is monitored and audited by our dedicated security, privacy, and internal
audit teams, and we provide audit logs to customers through
Access Transparency
for GCP.

For customer administrators

Within customer organizations, administrative roles and privileges for Google
Cloud are configured and controlled by the project owner. This means that
individual team members can manage certain services or perform specific
administrative functions without gaining access to all settings and data.

Law enforcement data requests

The customer, as the data owner, is primarily responsible for responding to law
enforcement data requests; however, like other technology and communications
companies, Google may receive direct requests from governments and courts around
the world about how a person has used the company's services. We take measures
to protect customers' privacy and limit excessive requests while also meeting
our legal obligations. Respect for the privacy and security of data you store
with Google remains our priority as we comply with these legal requests. When we
receive such a request, our team reviews the request to make sure it satisfies
legal requirements and Google's policies. Generally speaking, for us to comply,
the request must be made in writing, signed by an authorized official of the
requesting agency and issued under an appropriate law. If we believe a request
is overly broad, we'll seek to narrow it, and we push back often and when
necessary. For example, in 2006 Google was the only major search company that
refused a U.S. government request to hand over two months of user search
queries. We objected to the subpoena, and eventually a court denied the
government's request. In some cases we receive a request for all information
associated with a Google account, and we may ask the requesting agency to limit
it to a specific product or service. We believe the public deserves to know the
full extent to which governments request user information from Google. That's
why we became the first company to start regularly publishing reports about
government data requests. Detailed information about data requests and Google's
response to them is available in our
Transparency Report
and
government requests whitepaper.
It is Google's policy to notify customers about requests for their data unless
specifically prohibited by law or court order.

Third-party suppliers

Google directly conducts virtually all data processing activities to provide
our services. However, Google may engage some third-party suppliers to provide
services related to Google Cloud, including customer and technical support.
Prior to onboarding third-party suppliers, Google conducts an assessment of the
security and privacy practices of third-party suppliers to ensure they provide a
level of security and privacy appropriate to their access to data and the scope
of the services they are engaged to provide. Once Google has assessed the risks
presented by the third-party supplier, the supplier is required to enter into
appropriate security, confidentiality, and privacy contract terms.

Conclusion

The protection of your data is a primary design consideration for all of
Google's infrastructure, products and personnel operations. Our scale of
operations and collaboration with the security research community enable Google
to address vulnerabilities quickly or prevent them entirely.

We believe that Google can offer a level of protection that very few public
cloud providers or private enterprise IT teams can match. Because protecting
data is core to Google's business, we can make extensive investments in
security, resources and expertise at a scale that others cannot. Our investment
frees you to focus on your business and innovation. Data protection is more than
just security. Google's strong contractual commitments make sure you maintain
control over your data and how it is processed, including the assurance that
your data is not used for advertising or any purpose other than to deliver
Google Cloud services.

For these reasons and more, over five million organizations across the globe,
including 64 percent of the Fortune 500, trust Google with their most valuable
asset: their information. Google will continue to invest in our platform to
allow you to benefit from our services in a secure and transparent manner.